Client API — API keys
Everything under/api/v1/client/** (and the MCP server at /mcp)
authenticates with a long-lived API key. Keys are prefixed sk_test_ or
sk_live_, and both header forms work:
401. Every call is scoped to the key’s
account — there is no cross-account access.
Admin API — JWT
Everything under/api/v1/monetization/** (the catalog, rules, invoices —
what the dashboard uses) requires a session token from login:
Authorization: Bearer <token>.
Tokens are signed with your JWT_SECRET and expire after 2 hours.
Which API do I use?
| You are… | Use |
|---|---|
| Your product’s backend checking entitlements, reporting usage | Client API, API key |
| Defining plans, features, pricing rules | Admin API, JWT |
| An AI agent operating the platform | MCP, API key |